
Buadhai
Original poster
Jan 15, 2018
Korat, Thailand
I wonder how many of you have gone through the tedious process of dealing with all the passwords that Safari finds to be compromised. My list had dozens and dozens. But, going through them I find:
  • Many are from websites that no longer exist
  • Many are from websites where I have already changed the password, but Safari did not update the new password
  • Almost all of them say "last modified 8/7/20". I wonder what the significance of that date is?
After doing about 50 this morning, I have 824 to go.

I don't know if I can stomach the task.

There must be an easier way.

Any ideas?
 
It's quite irritating that the Keychain contains multiple entries for a single website with the same user name but different passwords that I've used over the years, including the current one which is not compromised and which is secure and complex. That website still appears in the Safari list of compromised passwords because one of the old passwords was junk. Why didn't Keychain just overlay the old entries? Makes for a lot of extra work.
 
It does have an option to "hide" password problems that you're okay with. I actually love it and check it every day. It alerted me that my AOL email address and password were hacked and found on the dark web. I changed the password immediately but have noticed a tremendous increase in spam since that time. I also am a bit miffed with AOL that they never alerted me to the password breach. In the last several months, I've had several hacks, but usually minor websites.
 
I agree. It's a great idea, but they need a better way to deal with hundreds of compromised passwords. Just hiding them is really not dealing with them. And dealing with them one-by-one is going to be an overwhelming task.

For example, HI5 showed up on the list as having a reused and compromised password. Although I haven't logged on to HI5 in maybe 20 years, I figure I ought to deal with it to prevent anyone from logging on to my account, which still exists. But, changing the password has proved to be impossible and tedious. You have to log in. Then you have to do a captcha. Then they send a code to your email address. The email address is correct, but the code never arrived after three attempts. So, I've spent 15 or 20 minutes dealing with one website and remain stuck on it.

So, what now? Ignore it? Keep trying? Move on?
 
I used 1Password for years, because I used "secure notes" and also had several documents stored in 1Password. The great thing was that everything could synchronize between my Mac, iPad and iPhone. Apple could not do that. There were about 250 logins/passwords and about the same number of secure notes/documents.

These days Apple can do nearly the same as 1Password. So I started to use iCloud Keychain in combination with "locked notes" in Apple Notes.

I took one login/password at a time and let Apple automatically create a new, strong password. For each one I made a locked note with the website and comments. Even the password in some cases. (There are a few passwords which are made by me, so they are easier to type on my Apple TV 4K.)

I took all sites where money/credit cards were involved first. So bank, Apple, subscriptions and the like. Then the rest of those sites I actually use on top of those. Eventually, being thorough as a German, I took the rest. But had there been a ton of totally outdated logins I would probably have ignored most of them. I would just check that they now would be harmless.

Having read about the Lastpass incident I am happy I made the effort. The cleanup of all those 1Password secure notes was a nice bonus. No junk this time.
 
I am happy I made the effort. The cleanup of all those 1Password secure notes was a nice bonus. No junk this time.
Of course, you're right. And, your methodology, although tedious and time consuming, is probably the only way to proceed. It's going to take me many, many days.

So far, I've not really come across many risky sites that still have a vulnerable password. I suppose I've changed those over time after being warned; first by 1Password and now by Apple.

I may go ahead and cull the outdated sites first so that what remains doesn't seem so daunting.

Thanks.
 
I just have to ask:
How does one accumulate 824 (or more) passwords?

100... 150, ok, I understand (I just checked and found 134 passwords in my self-constructed password database).

But 800+, approaching 1,000?
Inquiring minds want to know.
 
I may go ahead and cull the outdated sites first so that what remains doesn't seem so daunting.
This.

And/or prioritize the accounts. Do the mission critical accounts first (e.g. email services, ISPs, Apple, financial institutions) and then go through the most active accounts, less active, even less active, etc. Did this when I cleaned up my passwords years ago.

And I can't stress the email part enough: change the password and turn on 2FA if available, since that is one of those places where the "here's the link to reset your password" emails show up, and you don't want bad guys to be able to easily read/get into your mail.
 
I just have to ask:
How does one accumulate 824 (or more) passwords?

100... 150, ok, I understand (I just checked and found 134 passwords in my self-constructed password database).

But 800+, approaching 1,000?
Inquiring minds want to know.
Well, I've been doing this for a very long time. (I published my first website in 1996.) Since I've lived overseas (out of the mainland US) since 1978, I've had to do an awful lot of stuff online. Also, note that there are many duplicates and near duplicates. I think that Keychain doesn't do a great job of managing this. For example, why are there entries for both
Code:
https://clamxav.com/ and https://www.clamxav.com/
?

Here's a small sample:

Code:
http://www.bikeforums.net/
https://vault.bitwarden.com/
https://www.blio.com/
https://www.blogger.com/
https://bloom.express/
https://www.payment.bluemountain.com/
https://www.booknotification.com/
https://w1.buysub.com/
https://www.capitalone.com/
https://login2.capitalone.com/
https://myaccounts.capitalone.com/
https://verified.capitalone.com/
https://creditwise.capitalone.com/
https://www.capitalone.com/
https://login1.capitalone.com/
https://fep.careenhance.com/
https://www.caremark.com/
https://caseofy.com/
https://www.cathaypacific.com/
https://api.cathaypacific.com/
https://www.cathaypacific.com/
https://api.cathaypacific.com/
https://help.cbp.gov/
https://login.celebrations.com/
https://www.central.co.th/
https://www4.citizensbankonline.com/
https://clamxav.com/
https://www.clamxav.com/
https://click2mail.com/
https://dash.cloudflare.com/
http://www.cloudmade.com/
https://asia.cloudns.net/
https://download.cnet.com/
https://secure-download.cnet.com/
https://forums.cocoaforge.com/
http://support.cocoatech.com/
http://support.cocoatech.com/
https://support.cocoatech.com/
http://www.codecademy.com/
https://www.codecademy.com/
https://codecademy.com/
 
And/or prioritize the accounts. Do the mission critical accounts first (eg. email services, ISPs, Apple, financial institutions) and then go through most active accounts, less active, even more less active, etc. Did this when I cleaned up my passwords years ago.

I've already gone through and looked at all the critical accounts. Almost all of them are duplicates (see post above) where the "compromised" password had already been changed by me, but Keychain retained the entry with the old password.

For example, Keychain has six entries for fepblue.org (health insurance). However, only the oldest one has a compromised password. The most recent ones have a Safari-generated complex password.
 
So, after reading all of the contributions above (thank-you), here's my workflow. This on an Intel iMac.

On an external monitor I have windows open for Safari Passwords, Keychain Access and Bitwarden. The main screen has a large Safari browsing window:

  1. Pick a site from Safari Passwords with a compromised password and look at the password.
  2. Enter the domain in the Keychain Access search window.
  3. Check to see if there is a more recent entry for the site with a secure password. If so, delete the entry in Safari Passwords, make sure Bitwarden is up-to-date and move on. If not:
  4. Go to the website and change the password. Enable 2FA, if available.
  5. Make sure Keychain Access and Bitwarden have the updated password.
The fun factor here is zero.
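The duplicate-hunting in steps 2 and 3 above (several Keychain entries per site, only the oldest one compromised, plus http/https and www/no-www variants of the same domain) is mechanical enough to script. The following is an added example, not code from the thread or from Apple: it assumes a password-manager CSV export with constructed column names (url, username, password, last_modified), groups entries by registrable domain and username, and reports which entries are superseded by a newer one and whether the newest password is on a supplied list of known-bad passwords. The sample rows and the bad-password list are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample export (not a real Safari/Keychain export). The column
# names are an assumption modelled loosely on password-manager CSV exports.
SAMPLE_CSV = """url,username,password,last_modified
https://clamxav.com/,buadhai,oldjunk1,2020-08-07
https://www.clamxav.com/,buadhai,oldjunk1,2020-08-07
https://www.capitalone.com/,buadhai,winter2019,2019-11-02
https://login2.capitalone.com/,buadhai,Xq7!kd9Lm2#pR,2023-01-14
https://myaccounts.capitalone.com/,buadhai,Xq7!kd9Lm2#pR,2023-01-14
https://www.fepblue.org/,buadhai,oldjunk1,2020-08-07
https://www.fepblue.org/,buadhai,Tz4%wn8Qa1&hB,2022-06-30
https://www.central.co.th/,buadhai,Ab3$ef6Gh9*jK,2021-03-10
"""

# Multi-label public suffixes seen in the thread's sample. A real tool would
# consult the Public Suffix List; this constructed shortlist keeps the example
# offline and shows why "last two labels" alone is not enough (central.co.th).
MULTI_LABEL_SUFFIXES = {"co.th", "co.uk", "com.au"}


def registrable_domain(url):
    """Collapse http/https, www., and login/api subdomains to one key."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_export(text):
    """Read the CSV export into dicts with a parsed modification date."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "url": row["url"],
            "username": row["username"],
            "password": row["password"],
            "modified": datetime.strptime(row["last_modified"], "%Y-%m-%d"),
        })
    return rows


def triage(rows, compromised):
    """Group by (registrable domain, username). For each group, the newest
    entry is the live credential; older ones are superseded and can be
    deleted once the newest one is confirmed good (step 3 in the workflow)."""
    groups = defaultdict(list)
    for r in rows:
        groups[(registrable_domain(r["url"]), r["username"])].append(r)
    report = {}
    for key, entries in groups.items():
        # Stable sort: ties keep export order, newest first.
        entries.sort(key=lambda e: e["modified"], reverse=True)
        newest = entries[0]
        report[key] = {
            "current_url": newest["url"],
            "current_password_compromised": newest["password"] in compromised,
            "superseded_entries": [e["url"] for e in entries[1:]],
            "distinct_passwords": len({e["password"] for e in entries}),
        }
    return report


def needs_action(report):
    """Only groups whose *newest* password is bad still need a site visit."""
    return sorted(k for k, v in report.items()
                  if v["current_password_compromised"])


if __name__ == "__main__":
    # Constructed list standing in for "passwords Safari flagged".
    bad = {"oldjunk1", "winter2019"}
    rep = triage(parse_export(SAMPLE_CSV), bad)
    for key, info in sorted(rep.items()):
        print(key, info)
    print("still need changing:", needs_action(rep))
```

With the constructed rows, capitalone.com and fepblue.org come out as already fixed (their newest entry has a strong password; the older entries are listed as superseded and safe to delete), while clamxav.com is the only group that still needs a password change on the site itself. Note that the script only compares against a list you supply; it does not contact any breach-lookup service.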
 
I've been at this for two days now for a total of maybe six hours. I still have over 200 compromised passwords to deal with.

It has been amazing.

Several of the websites are in Thai which I read only haltingly, so that's been a challenge.

Docusign wanted to send me a text message so I gave them my Skype number. When I went to Skype it wanted me to log in again because my password had changed? Huh? I hadn't gotten to Skype yet. Oh, yeah, Microsoft now owns Skype so my Skype password is now my Microsoft password, which I had changed.

Then there's an Australian website called Pub Tipping. I have no idea why I have an account on Pub Tipping or what it's all about. However, after I changed my password they flooded me with something called "Tips":

VENUE NAME
Millers Inn
COMPETITION NAME
AFL
PRIZE DESCRIPTION:
Schooner Beer 425ML OR SUB DRINKS

Evernote never would let me get to a page where I could change my password. It kept wanting me to buy an upgrade. If anyone needs to waste ten or fifteen minutes I'll gladly supply my compromised username and password. Have fun.

Another side effect of all this is that sites I haven't visited in years have noticed that I'm still alive and have started sending me email. So, in addition to changing the passwords I'm now tasked with unsubscribing from mailing lists.

I've also learned that there's something called a ".well-known" folder in the public_html (or other) directory of some websites. (Unbeknownst to me, mine has one.) Safari sometimes uses this when you click the "Change Password on Website" button.

Thanks to Expedia I've been able to identify a cartoon snail multiple times. Captcha!

I've also learned that sometimes, even when Safari suggests a new password, it will not immediately update the Keychain file. So, even if it shows the Date Modified as the current time, the Keychain entry will still contain the old password with which you logged in. This is nasty.

I never could figure out how to change my password on fool.com. They emailed me a temporary six digit code, with which I logged in. Finally I just deleted the account.

I could go on. Perhaps I will, later.
 
Only 111 to go! Progress.

It's amazing how many different methods there are to change your password on a website.

A very few make it easy and obvious, but on others it's a real struggle to find the change password page. In several instances I've had to do a search to figure out how to change a site's password. (ASICS Runkeeper is one example.)

Some want to verify your email before you change your password.

Some send you a password update link via email.

Some want you to enter your new password twice, some only once.

Some encourage you to set up 2FA. Most don't seem to offer it.

A very few offer login via Apple, Google, etc.

Fewer than a handful I've come across offer login via passkey.

There are a few ways that Apple could make this cleanup process a whole lot easier. One of them would be to remove from the keychain entries that have been superseded by new entries with non-compromised passwords. I shouldn't have to check that myself. (I'm poor at such tasks. Computers tend to be better and more thorough.)
 
I never could get 2FA to work with Withings Health Mate. It uses your phone number to send a code. My phone number is in Thailand and works fine with other sites as 2FA. With Withings I just kept getting a message: "An unexpected error occurred, please try again." I ended up having to use a recovery code to get access to my account, after which I disabled 2FA.

Just an example of how a simple password change can end up consuming way more time than it should.

Only 33 to go.
 
Finished!

Certainly one of the most boring, tedious and frustrating tasks in which I have ever been engaged.

There must be an easier way.

Tomorrow? A richly deserved week at the beach.
